The term “phishing” refers to the malicious practice of trying to extract sensitive information (such as passwords) from users. Compared to numerous other Internet-related terms, “phishing” is one of the least understood among users. I have found this in my work, as have others in theirs. Of course, it may be that people understand the concept of phishing without knowing it is called by that name. It is difficult to do large-scale data collection using more elaborate methods, but I included some related questions on a survey recently taken by over one hundred students who were randomly sampled from a diverse group. (See the end of this post for details about the data set.)
In the context of a larger study, I showed participants three hypothetical emails and offered several options for how they might proceed (respondents could check off several actions such as “delete it”, “ignore it”, “forward to tech support with a question”, etc.). When shown an email that looked very much like the one that comes from the IT department of the university (one that would not be hard to replicate by someone with malicious intent), over half of respondents said they would “follow the instructions outlined in the email”, which included going to a Web site and entering their username and password. Even more students said that they would “click on the links in the message and follow the instructions on those pages”. Fewer than 15 percent checked off the option of contacting tech support with a question or reporting the email as abuse. And in the open-ended field where respondents could explain what else they might do, only one student described actions that suggested the potential problem with the email. This, among the generation that is supposedly savvy about digital media. See my forthcoming paper on The Role of Expertise in Navigating Links of Influence for more on this (especially pp. 12-19).
When I talk to my students (at a different school than where the above study was conducted) about online privacy and security issues, and ask them about the potential implications, the usual response is about financial concerns: credit card numbers stolen, money lost. However, as I try to remind them several times throughout the course, financial issues are not the only ones at stake when managing one’s identity and actions online. For example, in the realm of health and politics one can easily come up with examples of cases where third parties should not have access to our information.
And then there is reputation. I have noticed some troubling incidents on Flickr recently and wanted to write a post about these experiences to remind people about the importance of being vigilant. Don’t stop reading just because you are not a Flickr user, by the way. These same issues could occur on lots of other sites as well.